Use native TLS when certificate validation is disabled#425

Open
gschier wants to merge 1 commit into main from fix/native-tls-legacy-servers

Conversation

@gschier gschier commented Mar 12, 2026

Summary

  • When "Validate TLS certificates" is disabled, use the OS native TLS stack (Secure Transport/SChannel/OpenSSL) instead of rustls
  • Fixes TLS handshake failures against legacy servers (e.g. IBM WebSphere) that only support TLS 1.0, since rustls only implements TLS 1.2+
  • No change to default behavior — rustls is still used when validation is enabled

Ref: https://yaak.app/feedback/posts/tls-handshake-eof-when-connecting-to-private-ibm-websphere-endpoint-works-when-s

Test plan

  • Verify normal HTTPS requests still work with "Validate TLS certificates" enabled (rustls path)
  • Verify requests work with "Validate TLS certificates" disabled against a standard HTTPS server (native-tls path)
  • Verify requests work against a TLS 1.0-only server with validation disabled

🤖 Generated with Claude Code

…ver compatibility

When "Validate TLS certificates" is disabled, use the OS native TLS stack
(Secure Transport/SChannel/OpenSSL) instead of rustls. This adds support for
TLS 1.0+ connections to legacy servers like IBM WebSphere, which rustls cannot
handle since it only implements TLS 1.2+.

Ref: https://yaak.app/feedback/posts/tls-handshake-eof-when-connecting-to-private-ibm-websphere-endpoint-works-when-s

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 67cbb06bb9


if !crt_path.is_empty() && !key_path.is_empty() {
    let crt_data = std::fs::read(crt_path)?;
    let key_data = std::fs::read(key_path)?;
    let identity = native_tls::Identity::from_pkcs8(&crt_data, &key_data)?;

P1: Keep PKCS#1 client keys working in native TLS path

The new validate_certificates == false flow loads CRT+KEY identities with native_tls::Identity::from_pkcs8, which only accepts PKCS#8 keys and rejects common BEGIN RSA PRIVATE KEY (PKCS#1) files; before this change, the same path went through yaak_tls::load_private_key and accepted PKCS#1/PKCS#8/EC keys. This introduces a regression where mTLS requests now fail for users who disable certificate validation and provide an RSA PEM key that previously worked.

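Added example (not Yaak's code) for the regression flagged above: classify a client key PEM by its header, and wrap a PKCS#1 "RSA PRIVATE KEY" DER body in the PKCS#8 PrivateKeyInfo envelope so it can be re-encoded as a "PRIVATE KEY" PEM block for native_tls::Identity::from_pkcs8, which takes PEM input. Std-only Rust; base64 decode/encode of the PEM body, the EC (SEC1) case and encrypted keys are assumed to be handled elsewhere, and the names KeyKind, classify_pem and pkcs1_to_pkcs8_der are made up here.

```rust
/// What the PEM header says the client key is (names made up for this example).
#[derive(Debug, PartialEq)]
pub enum KeyKind {
    Pkcs8,     // "PRIVATE KEY": pass straight to Identity::from_pkcs8
    Pkcs1Rsa,  // "RSA PRIVATE KEY": wrap with pkcs1_to_pkcs8_der first
    Sec1Ec,    // "EC PRIVATE KEY": needs a SEC1 -> PKCS#8 conversion (not shown)
    Encrypted, // "ENCRYPTED PRIVATE KEY": must be decrypted before use
    Unknown,
}

/// Classify by the first "-----BEGIN ...-----" line, ignoring surrounding whitespace.
pub fn classify_pem(pem: &str) -> KeyKind {
    let label = pem.lines().map(str::trim)
        .find_map(|l| l.strip_prefix("-----BEGIN ")?.strip_suffix("-----"))
        .unwrap_or("");
    match label {
        "PRIVATE KEY" => KeyKind::Pkcs8,
        "RSA PRIVATE KEY" => KeyKind::Pkcs1Rsa,
        "EC PRIVATE KEY" => KeyKind::Sec1Ec,
        "ENCRYPTED PRIVATE KEY" => KeyKind::Encrypted,
        _ => KeyKind::Unknown,
    }
}

/// DER tag-length-value with a definite length (up to 2^24-1 content bytes).
fn der_tlv(tag: u8, content: &[u8]) -> Vec<u8> {
    let n = content.len();
    let mut out = vec![tag];
    match n {
        0..=0x7f => out.push(n as u8),
        0x80..=0xff => out.extend_from_slice(&[0x81, n as u8]),
        0x100..=0xffff => out.extend_from_slice(&[0x82, (n >> 8) as u8, n as u8]),
        _ => out.extend_from_slice(&[0x83, (n >> 16) as u8, (n >> 8) as u8, n as u8]),
    }
    out.extend_from_slice(content);
    out
}

/// Wrap a PKCS#1 RSAPrivateKey DER blob (already base64-decoded by the caller) as PKCS#8
/// PrivateKeyInfo: SEQUENCE { version 0, AlgorithmIdentifier { rsaEncryption, NULL }, OCTET STRING }.
pub fn pkcs1_to_pkcs8_der(pkcs1: &[u8]) -> Vec<u8> {
    // AlgorithmIdentifier for OID 1.2.840.113549.1.1.1 (rsaEncryption) with NULL parameters
    const RSA_ALG_ID: [u8; 15] = [
        0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00,
    ];
    let mut body = der_tlv(0x02, &[0x00]); // version INTEGER 0
    body.extend_from_slice(&RSA_ALG_ID);
    body.extend(der_tlv(0x04, pkcs1)); // privateKey OCTET STRING
    der_tlv(0x30, &body) // outer SEQUENCE; base64 it under "-----BEGIN PRIVATE KEY-----" for from_pkcs8
}
```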
